DHS Disses Security of FEMA Database

By Lisa Vaas  |  Posted 2005-11-11 Print this article Print

In the midst of a barrage of criticism regarding its handling of Hurricane Katrina, the Federal Emergency Management Agency is also now facing criticism that its Emergency Preparedness and Response database has lousy security controls.

In the midst of a barrage of criticism regarding its handling of Hurricane Katrina, the Federal Emergency Management Agency is also now facing criticism that its Emergency Preparedness and Response database has lousy security controls. A recent report from the Department of Homeland Securitys Office of Inspector General (PDF download required) states that it has audited the DHS and its organizational components security program in order to evaluate the security and integrity of certain sensitive—although unclassified—mission-critical databases. The audit covered access controls, continuity of operations, and change management policies and procedures in order to determine whether FEMA had implemented adequate security over sensitive data in NEMIS, its National Emergency Management Information System.
The audit found that although FEMA has implemented some security controls for NEMIS, more work needs to be done.
Specifically, the DHS Inspector General found that FEMA has failed to implement effective procedures for granting, monitoring and removing user access. Nor has FEMA conducted IT contingency training or testing, according to the report. Also, NEMIS servers suffer vulnerabilities in the form of access rights, password administration and configuration management, the audit found. "Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," wrote Richard L. Skinner, inspector general, in the report. Whats at stake? EP&R may be unable to recover NEMIS following a disaster, Skinner wrote. The report was edited to omit the name of the databases vendor and any identifying details. But according to the Web site of Anteon, a major Oracle reseller, the system runs on Oracle 8 databases. The reseller developed NEMIS using Microsoft NT, workflow mapping and a fully distributed Oracle 8 database. According to Anteons site, NEMIS comprises an online reference library to improve FEMAs communication and information dissemination; a Web-based image storage and retrieval system to provide access to disaster-related documents; interfaces to facilitate the exchange of related data between NEMIS and partner systems; and nationally distributed system architecture and cross-program/replicated database structure. "We designed and implemented the distributed databases using the symmetric replication feature of Oracle 8 to manage and consolidate data synchronization, ensuring timely data availability to FEMA and FEMA partner personnel around the country," Anteon says on its site. The Department of Homeland Security is trying to convince operators of the nations communications infrastructure to invest in better security. Click here to read more. According to the DHS report, FEMA officials have pledged to take corrective action to address certain vulnerabilities identified during technical testing. However, the auditors had not verified that the vulnerabilities had been remedied by the time the report was published. In addition, EP&R failed to provide a plan of action for correcting some 56 vulnerabilities. The DHS is recommending that FEMA direct its CIO to ensure that adequate controls for granting, monitoring and removing user access to NEMIS be implemented; that an IT contingency training and testing program for NEMIS be rolled out; and that FEMA draw up a corrective action plan to address other vulnerabilities and configuration weaknesses. As it now stands, Skinner wrote, FEMA has failed to "[fully align] its security program with DHS overall policies, procedures, or practices." For example, Skinner wrote, "security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training." FEMAs response, included in an appendix to the report, states that in order to address the audits complaints, one of its responses will be to implement Oracle Database Auditing "in the near future." "These audit logs, along with system, Oracle Listener, Apache and application logs, will be stored in a central location and will be archived for seven years, in accordance with DHS policy," FEMA wrote in its response. Check out eWEEK.coms for the latest database news, reviews and analysis.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel